Three-Tiered Security and Computational Architecture

ABSTRACT

A computing system, method, and storage medium prevent denial of provision of a network service by a server computer to an authorized client device. The computing system receives network service data that include a credential, then transmits that credential to a cloud-based identity system. The computing system responsively receives data pertaining to either zero or one identities related to the credential. If the data pertain to zero identities, the transaction is immediately terminated, preventing denial of the service. Only when the data pertain to exactly one identity does the computing system transmit the data to the server computer. Moreover, the computing system may terminate the transaction unless the server computer is similarly validated by the cloud-based identity system, thereby preventing access from an unauthorized device. The computing system may hide a network address of the client device from the server computer, and vice versa, and perform other useful supporting functions.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 14/712,769, filed May 14, 2015, which claims the benefit of U.S. Provisional Application No. 61/996,704, filed May 14, 2014. The contents of these above applications are incorporated herein by reference in their respective entireties.

TECHNICAL FIELD

The present invention relates to multicomputer data transferring, and more particularly to distributed data processing in which a processing agent provides a cryptographically secure virtual presence for a network user.

BACKGROUND ART

Computer systems today are insecure. They suffer from a multitude of security problems, including system cracking, system disruption, and malicious impersonation of users. Some malicious persons (“system crackers”) break into systems, bypassing or cracking their security mechanisms. These system crackers can gain access to secure data and systems, change or corrupt important data, change or corrupt the security systems themselves to install back doors or permit physical access to restricted premises, or commit any number of secondary crimes using their unauthorized access to sensitive data. Other malicious persons can disrupt system function, for example committing denial-of-service (DoS) attacks by flooding a computer system with an overwhelming torrent of unwanted and disrupting data, thereby changing or delaying the way a system responds. Such DoS attacks may disrupt important aviation, public transportation, and emergency response systems, leaving our key infrastructure systems vulnerable. Other malicious persons may impersonate doctors, lawyers, law enforcement, or other trusted personnel to gain access to restricted data and services. For example, a false identity may allow a malicious person having weapons to gain access to the sterile area at an airport, and board an airplane.

Several solutions to these security problems exist in the art, and include: login names and passwords; firewalls to exclude unauthorized access to computer systems; one-time passwords for isolated transactions; smartcards, such as those compliant with HSPD-12 and FIPS 201; access control lists; and virtual private computer networks, among others. One such solution in the prior art is shown in FIG. 1. Here, a requester 100 wishes to gain access to network data and services, represented in the figure by a “processing cloud” 130 that may be a single server computer or a network of computing resources. The requester 100 has access to a requester device 110. Typically, the requester 100 will log in to the requester device 110 using a user name and password, as noted above. Next, requester 100 will direct a software application running on requester device 110 to attempt to contact a network service in the cloud 130 using a computer network (not shown). Requester device 110 will normally look up an Internet address associated with a name provided for the service, such as www.google.com, using a database service such as the Domain Name System (DNS), as is known in the art. Requester device 110 then attempts to contact the service using the Internet address. On the service side, all such incoming requests are routed through a firewall 120. The firewall provides security services, such as prevention of DoS attacks, authorization and authentication challenges to access the service, port forwarding, virus scanning, and so on. If the firewall 120 determines that the attempted access is legitimate, then it provides requester device 110 a data channel that permits access to the service. Typically, firewall 120 maintains this data channel, but does not otherwise monitor the data that pass through it. This data channel may be encrypted by both the requester device 110 and the service in the cloud 130, using techniques known in the art such as SSL/TLS.

Once the transaction is complete, the data channel is “torn down” to free up processing resources on requester device 110, firewall 120, and cloud service 130.

Such prior art security measures generally establish system protection once, at the perimeter of the system being secured, not within the system itself. They are concerned with protecting access to the secure computing resources, such as the communications channels, rather than protecting the data that are transmitted to and from these resources; once a malicious person has gained access, they may remove sensitive data without further challenge. Further, the access restrictions of the prior art are performed before, or as part of, any determination of the identity of the person requesting the access. Thus, they suffer from impersonation attacks and man-in-the-middle (MitM) attacks. Even worse, in systems that perform encryption and decryption operations, these operations must be conducted by and on “thin” client devices, such as smart phones, that do not have a great deal of computing power in the first instance. The systems in the art for distributing encryption and decryption keys to the millions of such devices are cumbersome, expensive, and do not scale well.

End user systems, even those that use encryption, cannot be fully trusted in a secure environment due to the threat of compromise. Once system security is cracked by a malicious user (“system cracker”), the system cracker can masquerade as a legitimate user by accessing the data and algorithms stored in and used by the system. These “artifacts” of the identity processes, present on all end user systems that perform secure transactions, provide an unwanted attack vector against transaction systems that rely on verified identities, decreasing the security and reliability guarantees offered by these systems.

SUMMARY OF ILLUSTRATED EMBODIMENTS

To address the aforementioned disadvantages, illustrated embodiments of the present invention provide a “personal security server”, or PSS. A PSS is a proxy system interposed between the client device and the multitude of network services that provides cryptographic isolation between the client device and the server computer that provides the service. Such a system may be used in addition to a firewall or other perimeter device to supplement the functionality of that device. The PSS prevents the client device from obtaining any information about the server computer, including its network address, and prevents the server computer from obtaining any information about the client device that is requesting the service. Access to service authorization data requires input that can only be provided by the user of the client device.

Compromise of any one of the devices in the three-tiered security architecture can no longer result in execution of an unauthorized transaction or identity theft. If the client device or the PSS is compromised, the malicious user is unable to access any services previously accessed by the client device, because such access may only be obtained through the PSS, which requires separate authorization from the proper user of the client device using a biometric or a password. If the server computer or the PSS is compromised, the attacker will find no personal information of the user that can be used to steal the user's identity.

Thus, a first embodiment of the invention is a computing system for providing cryptographic isolation between a client device and a server computer for providing a network service to the client device. The computing system has four components: a first data port coupled to the client device; a second data port coupled to the server computer; a non-transitory, tangible storage medium; and a computing processor.

The storage medium stores an encryption, using an irreversible encryption algorithm, of original user authentication data that are a function of a unique property of the client device and a unique property of a user of the client device. The storage medium also stores an encryption, using a reversible encryption algorithm that uses the original user authentication data as a decryption parameter, of service authorization data required by the server computer to be presented to the server computer as a condition of permitting the user to access the network service.

The computing processor is configured to receive purported user authentication data in combination with a request to access the network service, and in response to such receipt, to perform four processes. The first process is encrypting the purported user authentication data using the irreversible encryption algorithm to produce encrypted purported user authentication data. The second process is decrypting the encryption of the service authorization data to produce decrypted service authorization data, but only when the encrypted purported user authentication data matches the stored encryption of the original user authentication data. The third process is presenting, to the server computer using the second data port, the decrypted service authorization data in combination with a request to access the network service on behalf of the user. The fourth process is, upon receipt in the computing system from the server computer of data indicating that the user is authorized to access the network service, exchanging service data between the client device using the first data port and the server computer using the second data port.

Various refinements of the basic system are contemplated. In particular, the client device may be a desktop computer, laptop computer, tablet computer, or smartphone. The first data port may be coupled to a local area network. The second data port may be coupled to the Internet. The irreversible encryption algorithm may include a cryptographic hash function. The reversible encryption algorithm may be a public key encryption algorithm or a symmetric encryption algorithm. The unique property of the client device may include a universally unique identifier (UUID) or a globally unique identifier (GUID). The unique property of the user of the client device may be a biometric or a password known only to the user. The computing processor may be further configured to perform cryptographic data communications over the first data port using a secret shared only between the computing system and the client device. The computing processor may be further configured to perform cryptographic data communications over the second data port using a secret shared only between the computing system and the server computer. And the computing processor may be further configured to avoid communicating a network address of the client device to the second data port, and to avoid communicating a network address of the server computer to the first data port.

Another embodiment of the invention is a method of providing cryptographic isolation between a client device and a server computer for providing a network service to the client device, using a computing system that intermediates between the client device and server computer. The method includes six processes. The first process is, at the request of the client device, storing by the computing system an encryption, using an irreversible encryption algorithm, of original user authentication data that are a function of a unique property of the client device and a unique property of a user of the client device. The second process is, at the request of the server computer, storing by the computing system an encryption, using a reversible encryption algorithm that uses the original user authentication data as a decryption parameter, of service authorization data required by the server computer to be presented to the server computer as a condition of permitting the user to access the network service.

The remaining processes occur upon receipt in the computing system of purported user authentication data in combination with a request to access the network service. The third process is encrypting the purported user authentication data using the irreversible encryption algorithm to produce encrypted purported user authentication data. The fourth process is decrypting the encryption of the service authorization data to produce decrypted service authorization data, but only when the encrypted purported user authentication data matches the stored encryption of the original user authentication data. The fifth process is presenting, to the server computer, the decrypted service authorization data in combination with a request to access the network service on behalf of the user. The sixth process is, upon receipt in the computing system from the server computer of data indicating that the user is authorized to access the network service, exchanging service data between the client device and the server computer.

The refinements described above with respect to the system embodiment may also be applied to the method embodiment.

A third embodiment of the invention is a non-transitory, tangible storage medium in which is stored computer program code for providing cryptographic isolation between a client device and a server computer for providing a network service to the client device, using a computing system that intermediates between the client device and server computer. The storage medium comprises computer program code for performing the processes of the method embodiment described above. The storage medium may also include computer program code for performing any of the refinements of the method embodiment.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing features of embodiments will be more readily understood by reference to the following detailed description, taken with reference to the accompanying drawings, in which:

FIG. 1 schematically shows a prior art client-server architecture;

FIGS. 2A and 2B schematically show different embodiments of a three-tiered security architecture in accordance with the present invention;

FIG. 3 schematically shows a PSS computing system in accordance with an embodiment of the invention;

FIG. 4 is a flowchart that illustrates a method of initializing a PSS in accordance with an embodiment of the invention;

FIG. 5 is a flowchart that illustrates a method of providing cryptographic isolation between a client device and a server computer using a PSS, in accordance with an embodiment of the invention; and

FIG. 6 is a flowchart that illustrates a method of auditing a network service using a secondary PSS in accordance with an embodiment of the invention.

DETAILED DESCRIPTION OF SPECIFIC EMBODIMENTS

A computing system, method, and computer program product provide cryptographic isolation between a client device and a server computer for providing a network service to the client device. The computing system stores encrypted user authentication data of the client device and its user, and encrypted service authorization data of the server computer, in such a way that neither the client device nor the server computer can obtain information about the other. Upon subsequent receipt in the computing system of purported user authentication data and a request to access the network service, the computing system encrypts the purported authentication data and compares it against the stored, encrypted data. Only when these encrypted data match is the computing system able to decrypt the service authorization data and provide it to the server computer to gain access to the network service.

Illustrative embodiments of the invention add an additional computation layer to the standard client-server model to provide a three-way architecture having enhanced security. Various embodiments of a three-tiered security architecture 200a and 200b are schematically illustrated in FIGS. 2A and 2B, respectively. A computational unit 210, called a Personal Security Server or PSS (which may also be referred to as a “Personal Server”), participates in, and secures, all communication between a client requester device 201 and a server cloud 230. The server cloud 230 may host applications software, which applications may be referred to as “cloud applications”. The existence of a “cloud application” implies server computer hardware that hosts applications software. A PSS 210 may be implemented on a dedicated item of computer hardware, or on one or more client requester devices 201. The PSS 210 is coupled to a communications network 240, such as a local area network (as in FIG. 2A) or the Internet (as in FIG. 2B), for example.

FIG. 3 schematically shows a PSS computing system 210 in accordance with an embodiment of the invention. The PSS computing system 210 includes four components: two data ports 211 and 212, a computing processor 213, and a storage medium 214. These are now described in turn.

A first data port 211 couples the PSS 210 to the client requester device 201 over a first data network. As described above, the first data network may be a local area network, although other embodiments may use other data networks such as, without limitation, a cellular telephone network, a satellite network, or the Internet. A second data port 212 couples the PSS 210 to a server computer in the server cloud 230 over a second data network. As described above, the second data network may be the Internet, but any other data network may be used. Each data port 211, 212 may be a Wi-Fi port, an Ethernet port, a radio port, or any similar technology known in the art to provide a data connection.

A non-transitory, tangible storage medium 214 provides volatile storage for the PSS 210. In one embodiment, the storage medium 214 is a solid state memory that provides rapid access to stored data, although other types of memory may be used in other embodiments. If non-volatile storage is desired (for example, to provide a permanent audit log of transactions), the PSS 210 may include, or be coupled to, a separate storage medium (not shown), such as a hard disk drive, storage area network, or network attached storage.

In accordance with illustrated embodiments, the storage medium 214 stores two types of encrypted data. The first type of data pertains to user authentication and uniquely ties the PSS 210 to the client device 201, while the second type of data pertains to service authorization and permits the PSS 210 to access the server computer in the server cloud 230 on behalf of the user. These data are provided during an initialization phase described in more detail in connection with FIG. 4, and used during a transactional phase described in more detail in connection with FIG. 5. Out-of-band auditing of transaction history is illustrated in FIG. 6.

The computing processor 213 performs a number of tasks related to implementing cryptographic isolation, described in more detail below in connection with FIGS. 4-6. It may be implemented using a microprocessor, or similar mechanism known in the art, in combination with a set of instructions for performing these tasks (i.e., computer program code).

FIG. 4 is a flowchart that illustrates a method of initializing a PSS in accordance with an embodiment of the invention. A PSS stores one set of encrypted user authentication data for each authorized user of the client device, which is typically a small number, but it stores encrypted service authorization data for each service that the user(s) may access, which may be dozens or hundreds of services (or more).

In a first process 410, the PSS receives original user authentication data from the client device. These authentication data are a function of a unique property of the client device and a unique property of a user of the client device. The unique property of the client device may be any property that serves to uniquely identify the client device, such as a universally unique identifier (UUID) or a globally unique identifier (GUID) as those terms are known in the art. The unique property of the user may be any property that serves to uniquely identify the user, such as a biometric or a password known only to the user. These data are combined using a given function (such as concatenation and truncation, although other functions may be used) to form data sufficient to act as an encryption key for a reversible encryption algorithm described in more detail below.

Once the PSS has sufficient data to permit it to authenticate valid accesses from the user and the client device, it begins a loop to store authorization data that will eventually permit it to connect to multiple network services. In some embodiments, these authorization data are sent from the client device to the PSS using an application, or smartphone app. Optionally, at this point in the initialization method the PSS may securely transmit the application or app to the client device. In an alternate embodiment, the app may already be installed in the client device.

Regardless of how the app appears in the client device, once a secure communications channel has been established between the PSS and the client device, in process 420 the PSS receives specific service credentials from the client device. These credentials include all data necessary for the user to access the network service, and may include such routine items as an account name or number, an email address, a username, a user password, a transactional password, and so on as known in the art. During process 420, the PSS updates its secure audit log to reflect receipt of credentials (without storing the credentials themselves in the log).

In process 430, the PSS establishes a secure connection to the server computer that performs the service, and sends the credentials to the server computer to establish a service authorization. In a preferred embodiment, a network address (e.g., host name or IP address) of the server computer for this connection is identified by reference to the requested network service only, in such a way that the client device has no knowledge of the network address. This identification may be performed, for example, by consulting a service registry that maps service identifiers to network addresses and/or a technical description of the protocol by which to connect to the service.

The PSS “logs in” to the server computer using the provided service credentials. If contact can be established and the login credentials are correct, the server computer returns to the PSS the service authorization data, which may be a data token. This token or other authorization may then be used by the PSS at a later time to log into the service. If the login is not successful, the PSS notifies the client device and returns to process 420.

If the login was successful and the PSS received a service authorization, in process 440 the PSS encrypts the authorization data and stores the encrypted copy. The encryption is performed using a reversible encryption algorithm, such as a public key encryption algorithm or a symmetric encryption algorithm as known in the art. These algorithms are reversible because they permit decryption of encrypted data using a decryption key. In accordance with illustrated embodiments of the invention, the decryption key includes the user authentication data. In this way, only the given user, accessing the PSS from the given client device, may decrypt the service authorization at a later time.

Once the encrypted service authorization data have been stored, in process 450 the PSS securely erases from its memory the unencrypted copy of these data. This process 450 ensures that a system cracker cannot immediately gain access to the unencrypted authorization token. Thus, preferably, processes 440 and 450 are performed in a secure hardware environment, such as a hardware security module (HSM) as known in the art.

In process 460, the PSS notifies the client device that authorization to later use the given service has been obtained. In some embodiments, process 460 occurs on a “push” or asynchronous basis, to permit rapid receipt of service credentials from the client device while various services are simultaneously contacted in parallel. Such parallel processing can speed up the initialization process greatly if some network services are slow to establish contact or create service authorization data.

In process 470 the PSS determines whether there are more services to initialize. Typically, this process is accomplished using a proprietary protocol between the PSS and an app in the client device, and methods for doing so are well known. If additional services must be initialized, the method returns to process 420. However, if no additional services must be initialized, the method continues to process 480, in which the original user authentication data are encrypted using an irreversible encryption algorithm, the encrypted copy is stored, and the unencrypted copy is securely erased from the memory of the PSS. The irreversible encryption algorithm may be, for example, a cryptographic hash function, as that phrase is known in the art. The process 480 ensures that the unencrypted authentication data do not linger on the PSS, preventing a system cracker who gains access to the PSS from decrypting any service authorization data. The process 480 simultaneously ensures that subsequent receipt of user authentication data can be validated by comparison with the stored hash.

As an added security measure, all data transmission and reception between the PSS and the client device (and between the PSS and the server computer) may be accomplished using a cloud-based identity system. One such system is disclosed in U.S. Pat. No. 8,667,269, entitled “Efficient, Secure, Cloud-Based Identity Services”, the contents of which are incorporated herein by reference in their entirety. In accordance with this security measure, the PSS may verify the identity of the device and/or user of each message (purportedly from the client device or the server computer) independently of the processes described herein, and abort the transaction if the message arrives from an unexpected source.

FIG. 5 is a flowchart that illustrates a method of providing cryptographic isolation between a client device and a server computer using a PSS, according to an embodiment of the invention. In accordance with this embodiment, the client device no longer communicates directly with the remote server computer. When the remote service needs to be used, the PSS acts as a cryptographically isolating proxy. The client device sends encrypted transmissions to the PSS, which decrypts the message and determines the message validity. If valid, the message is re-encrypted to be readable only by the remote application. The validity check can be minor or extensive, and may include messages to other systems and databases as known in the art.

The operational phase of the PSS is a loop. In the first process 510 of the loop, the PSS receives purported user authentication data in combination with a request to access a network service of the service cloud. At this point in the method, the PSS must assume that the request is a spoof initiated by a malicious user. In some embodiments, a PSS 210 may determine that the request is false if it does not arrive using the data port 211. However, even if the request did come from the data port 211, it may have been generated without the user's permission (for example, if control of the requester device 201 has been taken over by a malicious user). Therefore, the message requires validation in all cases.

With reference to FIG. 3, a PSS 210 may build a profile of the user of a client device 201, and use details from that profile to assess the validity of a message purporting to be from that user. Such a user profile may include the PSS audit log mentioned above. The PSS log is like a fingerprint in that it uniquely identifies the user, since the chance of another user having an identical PSS log is infinitesimally small. The user profile may also include information such as one or more IP addresses from which a client device 201 has sent messages or otherwise accessed the PSS 210. As another example, if the client device 201 is capable of ascertaining and transmitting its geographic location, the user profile may include the geographic location from which the client device 201 has sent messages or otherwise accessed the PSS 210. Any communication from the client device 201 may be checked against the user's profile to assess whether the message is actually from the user.

A system cracker who has gained access to the user's credentials (e.g., user name, password) may attempt to imitate the user, but the PSS 210 would recognize that the computer from which the cracker contacts the PSS does not have the same user log (e.g., fingerprint), or is communicating from a different, unfamiliar IP address. If a cracker obtains a client device 201 and attempts to use the device to communicate to or through the PSS 210, the PSS 210 may recognize that the device is communicating from an unusual or unfamiliar geographic location. For example, if a thief obtains and uses the smart phone of a user who lives in New York City and who has historically accessed the PSS 210 from geographical locations in that city, the thief's use of the smart phone from San Diego would be flagged as suspicious by the PSS 210. The PSS 210 may then decline to process the communication from the smart phone 201, or may request additional verification from the user using an alternate, out-of-band communications channel.
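The profile check described in the two preceding paragraphs can be written as a small risk assessment that runs before the cryptographic check of process 520. The following is an added example, not code from the patent or its applicant: the signals (familiar source networks, familiar geographic locations, a digest of the client's copy of the PSS log), the 500 km threshold, the escalation rule (one anomaly requests out-of-band verification, two or more declines the request), the New York City profile, and the RFC 5737 documentation addresses are all assumptions constructed for illustration.

```python
"""Profile-based validation of a request before the cryptographic check (FIG. 5, process 510)."""
import ipaddress
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_DISTANCE_KM = 500.0   # assumed threshold beyond which a location counts as "unfamiliar"


@dataclass
class UserProfile:
    """What the PSS has learned about one user of one client device."""
    known_networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    known_locations: List[Tuple[float, float]] = field(default_factory=list)  # (lat, lon) in degrees
    log_fingerprint: Optional[str] = None  # digest of the PSS audit log that the genuine client holds


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def assess_request(profile: UserProfile, src_ip: str,
                   location: Optional[Tuple[float, float]] = None,
                   log_fingerprint: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up" | "deny", reasons).

    One anomaly triggers additional verification over an out-of-band channel ("step_up");
    two or more anomalies decline the request outright, as the text permits the PSS to do.
    """
    reasons: List[str] = []
    if not any(ipaddress.ip_address(src_ip) in net for net in profile.known_networks):
        reasons.append(f"unfamiliar source address {src_ip}")
    if location is not None and profile.known_locations:
        nearest = min(haversine_km(location, known) for known in profile.known_locations)
        if nearest > MAX_DISTANCE_KM:
            reasons.append(f"location is {nearest:.0f} km from any familiar location")
    if (log_fingerprint is not None and profile.log_fingerprint is not None
            and log_fingerprint != profile.log_fingerprint):
        reasons.append("client's copy of the PSS log does not match the user's log")
    if not reasons:
        return "allow", reasons
    return ("step_up" if len(reasons) == 1 else "deny"), reasons


# Constructed profile: a New York City user whose device has always connected from one
# documentation-range network (RFC 5737) and from Manhattan.
PROFILE_NYC = UserProfile(
    known_networks=[ipaddress.ip_network("203.0.113.0/24")],
    known_locations=[(40.7128, -74.0060)],
    log_fingerprint="c0ffee",
)
SAN_DIEGO = (32.7157, -117.1611)

if __name__ == "__main__":
    print(assess_request(PROFILE_NYC, "203.0.113.5", (40.7306, -73.9352), "c0ffee"))  # familiar
    print(assess_request(PROFILE_NYC, "203.0.113.5", SAN_DIEGO, "c0ffee"))           # stolen phone
    print(assess_request(PROFILE_NYC, "198.51.100.7", SAN_DIEGO, "c0ffee"))          # stolen credentials
```

The decision is deliberately separate from the hash comparison that follows: a request that fails this check never reaches process 520, so the PSS does not spend a KDF computation, or risk an online guessing attempt, on a message that its own history already marks as anomalous.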

As a final check of message validation, process 520 encrypts the purported authentication data using the same irreversible algorithm that was applied to the original, verified authentication data, and in process 530 the encrypted purported data are compared to the stored, encrypted, verified data. If the validation is unsuccessful, in process 540 the PSS logs the error in its secure audit log, terminates the transaction, and may optionally take other threat-protection measures known in the art. For example, the PSS may notify the sender of the purported user authentication data that access was denied, and permit a limited number of additional attempts to validate the data before the PSS permanently denies access and requires re-authentication. Then, the method returns to process 510 and the PSS awaits the next service access request.

However, if the validation is successful, that fact is also logged by the PSS in process 550, and the transaction is allowed to proceed. The PSS log of successes and failures may be stored in the storage medium 214, or in another location. It may never be altered; however, depending on its size, it may be archived to other devices external to the PSS.

In process 560, the purported authentication data, which have now been verified as genuine, are used to decrypt the service authorization data stored during initialization for the particular service requested, and the decrypted service authorization data are securely transmitted to the server computer. As noted above, this communication, and subsequent communications required to establish a session, may use the secure cloud-based identity services of U.S. Pat. No. 8,667,269.

Decryption of the service authorization data requires using the original user authentication data as a decryption parameter, to prevent anyone other than the original user from accessing the service. Although the original, unencrypted authentication data are not stored in the PSS (as described above in connection with FIG. 4), the match between the encrypted received authentication data and the stored, encrypted original authentication data means that the received purported data are actually the same as the original data. Thus, the received authentication data may be used in their unencrypted form as a substitute for the original data to decrypt the service authorization data. Once the decryption is complete and the unencrypted service authorization data are recovered, the PSS once again securely deletes the authentication data.

Finally, in process 570, the PSS receives an indication from the server computer that it has accepted the service authorization data and begun a transaction session. In response, the PSS begins to exchange service messages between the client device and the server computer according to the protocol of the network service. When the transaction has been completed, the method returns to process 510 to await the next service access request.
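As an added illustration of processes 520 through 560 (example code, not from the patent), the following Python sketch of a PSS keeps only a salted, one-way derivation of the user's authentication data in place of the "stored, encrypted, verified data", derives the key for the sealed service authorization data from that same credential, counts failures against an assumed limit of three attempts, and records every outcome in an audit list. The HMAC-in-counter-mode keystream is a stand-in for a real cipher, and MAX_ATTEMPTS, the method names and the sample values are assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional

MAX_ATTEMPTS = 3  # assumed policy: failed attempts allowed before permanent denial


def kdf(auth_data: bytes, salt: bytes) -> bytes:
    # Salted one-way derivation stands in for "encrypt with the same algorithm" (assumption)
    return hashlib.pbkdf2_hmac("sha256", auth_data, salt, 50_000)


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode used as a keystream: a stand-in for a real cipher
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))


class PSS:
    def __init__(self, auth_data: bytes, service_authz: bytes) -> None:
        # Initialization (FIG. 4): retain only the protected credential and the sealed authz data
        self.salt = os.urandom(16)
        self.stored = kdf(auth_data, self.salt)          # "stored, encrypted, verified data"
        key = kdf(auth_data, self.salt + b"authz")        # the credential is the decryption parameter
        nonce = os.urandom(16)
        body = nonce + xor_stream(key, nonce, service_authz)
        self.blob = body + hmac.new(key, body, "sha256").digest()   # encrypt-then-MAC
        self.log: List[str] = []                          # secure audit log (append-only)
        self.failures = 0
        # the plaintext auth_data is deliberately not kept on the PSS

    def request(self, purported: bytes) -> Optional[bytes]:
        """Processes 520-560: validate the purported credential, log, then recover the authz data."""
        if self.failures >= MAX_ATTEMPTS:                 # permanent denial until re-authentication
            self.log.append("denied: re-authentication required")
            return None
        if not hmac.compare_digest(kdf(purported, self.salt), self.stored):   # 520 / 530
            self.failures += 1                                                 # 540
            self.log.append(f"validation failed ({self.failures}/{MAX_ATTEMPTS})")
            return None
        self.failures = 0
        self.log.append("validation succeeded")                                # 550
        key = kdf(purported, self.salt + b"authz")                             # 560
        body, tag = self.blob[:-32], self.blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
            self.log.append("stored authorization data failed integrity check")
            return None
        authz = xor_stream(key, body[:16], body[16:])
        del key, purported   # best-effort deletion of the credential once it has been used
        return authz
```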

In addition to the validation steps that the PSS performs, many other computations may be done. Computations could be offloaded from the client device (e.g. using the architecture of FIG. 2A) or from the network service (e.g. using the architecture of FIG. 2B). With respect to the latter possibility, since the client device has no control over the PSS, secure transactions can be accomplished for the network service, advantageously providing service scalability. In one embodiment each user has a single PSS. In this embodiment, the network service is not limited by the size of its owned hardware, but may expand to include a multitude of PSSes as a secure computing resource, thus “extending the cloud”. In another embodiment, each user has a single PSS for each network service, providing cryptographic isolation between different network services at the client side of the network, rather than the server side.

FIG. 6 is a flowchart that illustrates an out-of-band method of auditing a network service using a secondary PSS in accordance with an embodiment of the invention. The method shown in FIG. 6 assumes that a primary PSS is processing requests for network services according to FIGS. 4 and 5, and moreover is providing real-time access to its audit log to a secondary, auditing PSS. It should be appreciated that auditing and fraud notification is only one application of the extended cloud.

In process 610, the secondary PSS receives streamed audit log data from the primary PSS. Simultaneously, in process 620, the secondary PSS receives an output of the network services provided by the primary PSS. Any network service that produces a publicly consumable output stream may be monitored by process 620. For example, if one network service accessed by the client device is TWITTER, process 620 includes monitoring the user's TWITTER feed.

In process 630, the audit log data are compared to the public output stream to determine whether each output matches a corresponding log entry. The PSS must have a corresponding transaction for each entry the stream holds for our user, and the authorized user must have initiated that transaction. The stream may contain additional data elements that can be checked, such as destinations, dollar amounts, or any other data that would be carried from input to output without change. All of these data elements are compared to the original transaction; which of them must match depends on the application. In this way, a computer failure such as malware, a virus, or a malfunction that affects the transaction data can be identified.

If the audit logs match the output stream, then the method continues to process 640, in which the secondary PSS provides the primary PSS with a regular indication that all is well. However, if the audit log data do not match the public output stream, the method continues to process 650, in which the secondary PSS immediately notifies the primary PSS of the discrepancy. If a log entry exists but there is no corresponding output in the public output stream, it may be that the network service experienced a problem executing a request. Conversely, if an output exists in the public output stream but there is no corresponding log entry, it may be that the network service received a spoofed request from a source other than the PSS, and that therefore the user's login credentials have been compromised. In either case, the reliability of the client-server relationship has been compromised, and in process 660 the secondary PSS initiates threat protection procedures. Such procedures may include, without limitation: instructing the network service to disable the user's login credentials; sending an email, text, or automated telephone call to a monitoring center; and contacting the user via an out-of-band communications facility that does not rely on the client device.
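An added Python example (not from the patent) of the comparison in processes 630 through 660: the secondary PSS matches each public output to a logged transaction on a correlation id and on the fields that must carry through unchanged (destination and amount), classifies each discrepancy the way the text does, and maps the result to a response. The transaction fields, the correlation id and the response actions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    txn_id: str        # correlation id carried from request to output (assumed field)
    destination: str   # fields that must pass from input to output unchanged
    amount: float


Finding = Tuple[str, str]  # (kind, txn_id)


def reconcile(audit_log: List[Txn], public_stream: List[Txn]) -> List[Finding]:
    """Process 630: every public output needs a matching PSS log entry, and vice versa."""
    by_id: Dict[str, Txn] = {t.txn_id: t for t in audit_log}
    seen = set()
    findings: List[Finding] = []
    for out in public_stream:
        seen.add(out.txn_id)
        entry = by_id.get(out.txn_id)
        if entry is None:
            findings.append(("spoofed_request", out.txn_id))   # output the PSS never sent
        elif (entry.destination, entry.amount) != (out.destination, out.amount):
            findings.append(("altered_data", out.txn_id))      # carried-through fields changed
    for txn_id in sorted(by_id.keys() - seen):
        findings.append(("missing_output", txn_id))            # logged request produced no output
    return findings


def respond(findings: List[Finding]) -> List[str]:
    """Processes 640-660: regular all-is-well signal, or threat-protection actions per discrepancy."""
    if not findings:
        return ["notify_primary:all_well"]
    actions = ["notify_primary:discrepancy"]
    for kind, txn_id in findings:
        if kind == "missing_output":
            actions.append(f"flag_service_error:{txn_id}")
        else:  # spoofed or altered output: treat the login credentials as compromised
            actions.append(f"disable_credentials:{txn_id}")
            actions.append(f"contact_user_out_of_band:{txn_id}")
    return actions


# Constructed sample data: the primary PSS audit log vs. the user's public output stream
AUDIT_LOG = [Txn("t1", "acct-100", 25.0), Txn("t2", "acct-200", 40.0), Txn("t3", "acct-300", 5.0)]
PUBLIC_STREAM = [Txn("t1", "acct-100", 25.0), Txn("t2", "acct-200", 400.0), Txn("t9", "acct-999", 1.0)]
```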

Various embodiments of the invention may be implemented at least in part in any conventional computer programming language. For example, some embodiments may be implemented in a procedural programming language (e.g., “C”), or in an object oriented programming language (e.g., “C++”). Other embodiments of the invention may be implemented as preprogrammed hardware elements (e.g., application specific integrated circuits, FPGAs, and digital signal processors), or other related components.

In an alternative embodiment, the disclosed apparatus and methods may be implemented as a computer program product for use with a computer system. Such implementation may include a series of computer instructions fixed either on a tangible medium, such as a non-transient computer readable medium (e.g., a diskette, CD-ROM, ROM, or fixed disk). The series of computer instructions can embody all or part of the functionality previously described herein with respect to the system.

Those skilled in the art should appreciate that such computer instructions can be written in a number of programming languages for use with many computer architectures or operating systems. Furthermore, such instructions may be stored in any memory device, such as semiconductor, magnetic, optical or other memory devices, and may be transmitted using any communications technology, such as optical, infrared, microwave, or other transmission technologies.

Among other ways, such a computer program product may be distributed as a removable medium with accompanying printed or electronic documentation (e.g., shrink wrapped software), preloaded with a computer system (e.g., on system ROM or fixed disk), or distributed from a server or electronic bulletin board over the network (e.g., the Internet or World Wide Web). Of course, some embodiments of the invention may be implemented as a combination of both software (e.g., a computer program product) and hardware. Still other embodiments of the invention are implemented as entirely hardware, or entirely software.

The embodiments of the invention described above are intended to be merely exemplary; numerous variations and modifications will be apparent to those skilled in the art. All such variations and modifications are intended to be within the scope of the present invention as defined in any appended claims.

What is claimed is:
1. A computing system for preventing denial of provision of a network service by a server computer to an authorized client device, the computing system comprising: a first data port coupled to the authorized client device using a first communications network; a second data port coupled to the server computer using a second communications network; and a computing processor coupled to the first data port and second data port, the computing processor configured to: receive, using the first data port, network service data that include a client credential; transmit the client credential to a cloud-based identity system; responsively receive, from the cloud-based identity system, data pertaining to either zero or one identities that were validated using the transmitted client credential; and transmit the network service data to the server computer using the second data port only when the responsively received data pertain to exactly one identity.
2. A computing system according to claim 1, wherein the authorized client device comprises a desktop computer, or a laptop computer, or a tablet computer, or a smartphone.
3. A computing system according to claim 1, wherein the first communications network comprises a local area network.
4. A computing system according to claim 1, wherein the second communications network comprises the Internet.
5. A computing system according to claim 1, wherein the credential is a surrogate certificate identifier that is specific to a user of the authorized client device.
6. A computing system according to claim 1, wherein the computing processor is further configured to avoid communicating a network address of the client device to the server computer using the second data port, and to avoid communicating a network address of the server computer to the client device.
7. A computing system according to claim 1, wherein the computing processor is further configured to: receive, from the server computer using the second data port, network service data that include a server credential; transmit the server credential to the cloud-based identity system; responsively receive data pertaining to either zero or one identities that the cloud-based identity system has validated using the server credential; and only when the responsively received data pertain to exactly one identity, transmit the network service data to the authorized client device using the first data port.
8. A computing system according to claim 1, wherein the network service data include data for changing another network service provided by the server computer, or data for changing a security feature of the server computer, or data for impersonating a user of the authorized client device, or any combination of these.
9. A method of preventing denial of provision of a network service by a server computer to an authorized client device, the method comprising executing, by a computing system having a first data port coupled to the authorized client device using a first communications network and a second data port coupled to the server computer using a second communications network, processes comprising: receiving, using the first data port, network service data that include a client credential; transmitting the client credential by the computing system to a cloud-based identity system; responsively receiving, by the computing system from the cloud-based identity system, data pertaining to either zero or one identities that were validated using the transmitted client credential; and transmitting the network service data to the server computer using the second data port only when the responsively received data pertain to exactly one identity.
10. A method according to claim 9, wherein the authorized client device comprises a desktop computer, or a laptop computer, or a tablet computer, or a smartphone.
11. A method according to claim 9, wherein receiving using the first data port includes receiving from a local area network, or receiving using the second data port includes receiving from the Internet, or both.
12. A method according to claim 9, further comprising: avoiding communicating a network address of the client device to the server computer using the second data port; and avoiding communicating a network address of the server computer to the client device.
13. A method according to claim 9, further comprising: receiving, from the server computer using the second data port, network service data that include a server credential; transmitting the server credential to the cloud-based identity system; responsively receiving data pertaining to either zero or one identities that the cloud-based identity system has validated using the server credential; and only when the responsively received data pertain to exactly one identity, transmitting the network service data to the authorized client device using the first data port.
14. A method according to claim 9, wherein the network service data include data for changing another network service provided by the server computer, or data for changing a security feature of the server computer, or data for impersonating a user of the authorized client device, or any combination of these.
15. A computer program product comprising a tangible, non-transitory, computer readable storage medium, having stored thereon a computer program which, when executed by a computing system having a first data port coupled to the authorized client device using a first communications network and a second data port coupled to the server computer using a second communications network, causes the computing system to perform processes for preventing denial of provision of a network service by a server computer to an authorized client device, the processes comprising: receiving, using the first data port, network service data that include a client credential; transmitting the client credential by the computing system to a cloud-based identity system; responsively receiving, by the computing system from the cloud-based identity system, data pertaining to either zero or one identities that were validated using the transmitted client credential; and transmitting the network service data to the server computer using the second data port only when the responsively received data pertain to exactly one identity.
16. A storage medium according to claim 15, wherein the process for receiving using the first data port includes receiving from a desktop computer, or a laptop computer, or a tablet computer, or a smartphone.
17. A storage medium according to claim 15, wherein the process for receiving using the first data port includes receiving from a local area network, or the process for receiving using the second data port includes receiving data from the Internet, or both.
18. A storage medium according to claim 15, wherein the processes further include: avoiding communicating a network address of the client device to the server computer using the second data port; and avoiding communicating a network address of the server computer to the client device.
19. A storage medium according to claim 15, wherein the processes further include: receiving, from the server computer using the second data port, network service data that include a server credential; transmitting the server credential to the cloud-based identity system; responsively receiving data pertaining to either zero or one identities that the cloud-based identity system has validated using the server credential; and only when the responsively received data pertain to exactly one identity, transmitting the network service data to the authorized client device using the first data port.
20. A storage medium according to claim 15, wherein the network service data include data for changing another network service provided by the server computer, or data for changing a security feature of the server computer, or data for impersonating a user of the authorized client device, or any combination of these.
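The gateway behaviour of claims 1, 6 and 7, as an added Python example that is not part of the patent: a computing system with a client-facing port and a server-facing port forwards a message only when the identity lookup on its credential yields exactly one identity, strips the sender's network address and credential before forwarding in either direction, and terminates the transaction otherwise (an ambiguous lookup is treated the same as zero identities). The identity directory, message fields and addresses are constructed stand-ins for the cloud-based identity system and the network service data.

```python
from typing import Dict, List, Optional

# Constructed stand-in for the cloud-based identity system: credential -> validated identities
IDENTITY_DIRECTORY: Dict[str, List[str]] = {
    "surrogate-cert-alice": ["alice"],          # exactly one identity: forwardable
    "surrogate-cert-shop": ["shop.example"],    # the server computer's own credential (claim 7)
    "surrogate-cert-dup": ["bob", "carol"],     # ambiguous: not "exactly one", so rejected
}


def lookup_identities(credential: str) -> List[str]:
    """Stands in for transmitting the credential to the identity system and receiving its answer."""
    return IDENTITY_DIRECTORY.get(credential, [])


class Gateway:
    """Claim 1: the first port faces the client, the second faces the server; both directions are checked."""

    def __init__(self) -> None:
        self.audit: List[str] = []

    def _relay(self, message: Dict[str, str], credential_field: str, direction: str) -> Optional[Dict[str, str]]:
        identities = lookup_identities(message.get(credential_field, ""))
        if len(identities) != 1:             # zero (or several) identities: terminate immediately
            self.audit.append(f"{direction}: terminated, {len(identities)} identities")
            return None
        # Claim 6: the other side never sees the sender's address; the credential stays with the gateway
        forwarded = {k: v for k, v in message.items() if k not in ("src_addr", credential_field)}
        forwarded["validated_identity"] = identities[0]
        self.audit.append(f"{direction}: forwarded for {identities[0]}")
        return forwarded

    def client_to_server(self, message: Dict[str, str]) -> Optional[Dict[str, str]]:
        return self._relay(message, "client_credential", "client->server")   # claim 1

    def server_to_client(self, message: Dict[str, str]) -> Optional[Dict[str, str]]:
        return self._relay(message, "server_credential", "server->client")   # claim 7
```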